Operational Resilience Audit

Posts about:

Operational Resilience (6)

certification, Blended Learning, Operational Resilience, OR-5000, OR-300, OR-400, OR-200

[ORA-5] ORA-5000 Blended Learning Course Schedule 2024

Sep 22, 2023 5:24:28 PM

ORA-5000 Operational Resilience Audit Expert 2024 Course Schedule

Click any of the "Run #" icons in each table below to learn more about the course schedule you are interested in. The breakdown of each run by Modules 1 to 4 is also illustrated.

The schedule is appended below.

Year & Run	[BL-ORA-5] 2024 Run 2
Quarter	Two (May to Jun 24)

Start Date	8 May 24	24 May 24	7 Jun 24	21 Jun 24
End Date	15 May 24	31 May 24	14 Jun 24	28 Jun 24

NOTE: Run 2 class starting at 2 PM GMT+8

Year & Run	[BL-ORA-5] 2024 Run 2A
Quarter	Two (Jun to Jul 24)

Start Date	4 Jun 24	18 Jun 24	4 Jul 24	18 Jul 24
End Date	11 Jun 24	25 Jun 24	11 Jul 24	25 Jul 24

NOTE: Run 2A class starting at 9 PM GMT+8

Click FAQ icon to check the timing for your region. Read, "I noticed that the course is held at Asian time. Is there any time for me as I reside outside the Asia Pacific Region?"

Year & Run	[BL-ORA-5] 2024 Run 3
Quarter	Three (Jul to Sep 24)

Start Date	31 Jul 24	14 Aug 24	26 Aug 24	9 Sep 24
End Date	13 Aug 24	21 Aug 24	2 Sep 24	17 Sep 24

NOTE: Run 3 class starting at 2 PM GMT+8

Note that 16 Sep 24 is a Public Holiday in Malaysia (Prophet Muhammad's birthday). The class will resume on the following day, i.e. 17 Sep 24

Year & Run	[BL-ORA-5] 2024 Run 3A
Quarter	Three (Sep to Oct 24)

Start Date	6 Sep 24	27 Sep 24	10 Oct 24	24 Oct 24
End Date	19 Sep 24	4 Oct 24	17 Oct 24	30 Oct 24

NOTE: Run 3A class starting at 9 PM GMT+8

Year & Run	[BL-ORA-5] 2024 Run 4
Quarter	Four (Oct to Dec 24)

Start Date	27 Oct 24	6 Nov 24	21 Nov 24	5 Dec 24
End Date	10 Nov 24	13 Nov 24	28 Nov 24	12 Dec 24

NOTE: Run 4 class starting at 2 PM GMT+8

Year & Run	[BL-ORA-5] 2024 Run 4A
Quarter	Four (Oct to Dec 24)

Start Date	27 Oct 24	11 Nov 24	27 Nov 24	11 Dec 24
End Date	10 Nov 24	18 Nov 24	4 Dec 24	18 Dec 24

NOTE: Run 4A class starting at 9 PM GMT+8

+ For ORCP/ ORAS/ ORAE Qualifying Examination:

The program manager will advise on the next step once you enrol in the course.

More Information About Blended Learning Operational Resilience Audit (ORA) Courses

BCM Institute offers two levels of OR auditing courses: ORA-3 Blended Learning ORA-300 Operational Resilience Audit Specialist and the ORA-5 Blended Learning ORA-5000 Operational Resilience Audit Expert.

	Please feel free to send us a note if you have any questions.

Azizah Nurdin

Operational Resilience, Hong Kong Monetary Authority

Guidelines on Operational Resilience by the Hong Kong Monetary Authority

Jun 16, 2023 4:22:09 PM

Guidelines on Operational Resilience by the Hong Kong Monetary Authority

Operational resilience is critical for financial institutions in ensuring uninterrupted services and maintaining the financial system's stability. The Hong Kong Monetary Authority (HKMA) has issued guidelines to provide a comprehensive framework for financial institutions in Hong Kong to enhance their operational resilience.

Referring to the actual "Supervisory Policy" or "SPM OR-2" is important, which sets out HKMA’s approach and supervisory expectations on operational resilience. Refer to the guideline by clicking on the HKMA webpage.

Objective

This blog aims to provide participants attending the Operational Resilience Implementer and Expert Implementer course with global or regional responsibilities to understand the:

The general principles outlined by the Hong Kong Monetary Authority (HKMA) that institutions must consider when developing their operational resilience framework.
Guidelines and be able to compare with those issued by other central banks from other regional justifications.

Definition of Operational Resilience

Operational resilience refers to a financial institution's ability to consistently deliver critical operations and services, even during disruptions or unexpected events.

It encompasses the organisation's ability to prevent, adapt, respond, and recover from operational disruptions to maintain continuity and protect the interests of customers and stakeholders.

Operational Resilience Framework

Financial institutions are expected to establish an operational resilience framework that integrates people, processes, and technology to enhance their overall resilience.

The framework should include the following components:

Governance and Accountability

The board and senior management should demonstrate clear responsibility and accountability for operational resilience. They should oversee and approve the institution's operational resilience strategy, policies, and risk tolerance levels.

Risk Identification and Assessment

Financial institutions should identify and assess the potential risks and vulnerabilities associated with their critical business services, processes, and systems. This includes conducting regular impact assessments and scenario analyses to understand the potential consequences of operational disruptions.

Business Impact Tolerance

Institutions should define their business impact tolerance, reflecting the maximum tolerable disruption to critical services, processes, and systems. This determination should consider the institution's risk appetite, customer expectations, and market conditions.

Planning and Strategy

Institutions should develop robust and comprehensive plans to address operational disruptions effectively. Considering various scenarios and potential impacts, these plans should cover incident response, crisis management, and business continuity.

Testing and Validation

Regular testing and validation exercises should be conducted to evaluate the effectiveness of the operational resilience framework. Institutions should identify gaps, areas for improvement and implement corrective actions based on the test results.

Reporting and Communication

Institutions should establish clear lines of communication and report for operational disruptions. This includes promptly reporting incidents to the HKMA and maintaining effective communication with customers, stakeholders, and regulatory authorities.

Role of the Board and Senior Management

The guidelines emphasise the board's and senior management's crucial role in ensuring operational resilience. They should demonstrate strong leadership, establish a culture of resilience, and promote effective governance practices within the organisation. Key responsibilities include:

Setting the Operational Resilience Strategy

The board and senior management should define the institution's strategic objectives regarding operational resilience, aligning them with the overall business strategy.

Risk Management Oversight

They should oversee the identification, assessment, and management of operational risks, ensuring appropriate risk controls and mitigation measures are in place.

Resource Allocation

The board and senior management should allocate sufficient resources, including budget, staff, and technology, to support the implementation and maintenance of the operational resilience framework.

Monitoring and Reporting

They should establish mechanisms to monitor the effectiveness of the operational resilience framework and receive regular reports on key resilience indicators and performance metrics.

Determining Operational Resilience Parameters

Financial institutions should establish operational resilience parameters to define the levels of resilience required for their critical business services, processes, and systems. These parameters should be determined based on factors such as:

Criticality and Impact

Institutions should consider the criticality and potential impact of a disruption on customers, financial stability, and the broader economy.

Recovery Time Objectives (RTOs)

RTOs specify the maximum tolerable downtime for critical services, processes, and systems, guiding the planning and recovery strategies.

Recovery Point Objectives (RPOs)

RPOs define the maximum acceptable data loss in case of disruptions, guiding data backup and recovery measures.

Dependencies and Interconnections

Institutions should consider the dependencies and interconnections between their internal and external systems and third-party service providers to ensure comprehensive resilience.

Mapping Interconnections and Interdependencies

Financial institutions must map the interconnections and interdependencies that underlie their critical operations. This includes identifying the key business services, processes, systems, and resources, both internal and external, on which their operations rely.

By mapping these interconnections, institutions can understand the potential impact and dependencies in the event of disruptions. This knowledge enables them to identify vulnerabilities and implement appropriate measures to enhance resilience.

Preparing for and Managing Risks to Critical Operations Delivery

Financial institutions should proactively prepare for and manage risks that could affect the delivery of critical operations.

This involves robust risk assessments to identify potential threats, vulnerabilities, and impacts. Institutions must establish risk management frameworks that identify, measure, monitor, and mitigate risks. These frameworks should align with the institution's risk appetite and regulatory requirements. By effectively managing risks, institutions can enhance their ability to withstand disruptions and ensure the continuity of critical operations.

Testing Ability to Deliver Critical Operations under Severe but Plausible Scenarios

Financial institutions must test their ability to deliver critical operations under severe yet plausible scenarios.

This includes scenario-based exercises to simulate disruptions and assess the institution's response and recovery capabilities. Testing should cover various aspects, such as incident response, crisis management, communication, and business continuity. Regular testing helps identify weaknesses, refine response plans, and enhance the institution's overall operational resilience.

Responding to and Recovering from Incidents

Financial institutions should establish robust response and recovery plans to address operational incidents effectively.

This involves defining clear roles, responsibilities, and escalation procedures to ensure a coordinated response. Institutions should also establish mechanisms for timely communication with stakeholders, including customers, regulators, and relevant authorities.

By promptly responding to incidents and implementing effective recovery measures, institutions can minimise the impact on critical operations and expedite the restoration of services.

Implementation of Operational Resilience Requirements

Financial institutions are expected to implement operational resilience requirements throughout their organisation.

This includes embedding a culture of resilience, providing appropriate training and awareness programs for employees, and integrating operational resilience considerations into decision-making processes.

Institutions should allocate sufficient resources to support the implementation of operational resilience requirements and establish mechanisms for monitoring, reporting, and ongoing improvement.

Conclusion

The HKMA's guidelines on operational resilience provide financial institutions in Hong Kong with a comprehensive framework to strengthen their operational resilience.

By considering the general principles outlined in these guidelines, institutions can develop robust operational resilience frameworks that ensure the continuity of critical operations and protect the interests of customers and stakeholders.

Implementing these guidelines is essential for maintaining the financial system's stability and safeguarding the reputation of financial institutions in Hong Kong.

Learn more about Blended Learning OR-300 [BL-OR-3] and OR-5000 [BL-OR-5]

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.



	If you have any questions, click to contact us.

Moh Heng Goh

ORA [Plan] Questionnaires: Anaylse Gap for Incident and Crisis Management

audit, Operational Resilience

ORA [Plan] Questionnaires: Analyse Gap for Incident and Crisis Management

Jun 15, 2023 7:48:42 PM

Analyse the Gap

OR_Plan_Update Diagram

What is Incident and Crisis Management?

Incident Management or IM refers to an organisation's activities to identify, analyze and correct threats.

Crisis Management or CM is the overall coordination of an organization's response to a crisis in an effective, timely manner, intending to avoid or minimize damage to the organization's profitability, reputation, or ability to operate.

This section is the "Plan" phase of the Operational Resilience Planning Methodology. It is the second stage of the Plan phase: Analyse Gap.

Audit Checklist for Analysing the Gap for Incident and Crisis Management

1. Crisis Management Structure

Is there a documented crisis management structure in place?
Are the structure's roles, responsibilities, reporting lines, and chain of command clearly defined?
Have alternates been designated for primary representatives in case of unavailability?
Are there regular training and awareness programs for personnel involved in the crisis management structure?

Checklist

Check if there is a documented crisis management structure.
Verify if roles, responsibilities, reporting lines, and chain of command are clearly defined within the structure.
Assess if alternates have been designated for primary representatives.
Review training and awareness programs for personnel involved in the crisis management structure.

2. Triggers and Activation Criteria

Are there pre-defined triggers and criteria for activating the crisis management structure?
Are these triggers and criteria reviewed and updated periodically to reflect organisational risk landscape changes?
Is there a mechanism for timely monitoring and identification of triggers to activate the crisis management structure?
Has the effectiveness of the triggers and activation criteria been tested through simulations or exercises?

Checklist

Determine if there are pre-defined triggers and criteria for activating the crisis management structure.
Verify if these triggers and criteria are reviewed and updated periodically.
Assess the mechanism for monitoring and identifying triggers to activate the crisis management structure.
Review simulations or exercises to test the effectiveness of the triggers and activation criteria.

3. Crisis Management Plans and Procedures

Are there comprehensive crisis management plans and procedures in place to guide actions and decisions during a crisis?
Have the crisis plans been developed based on a thorough assessment of potential risks and scenarios?
Are the plans regularly reviewed, updated, and tested for their effectiveness?
Are there clear guidelines on the roles and responsibilities of senior management during a crisis?
Is there a process for post-crisis evaluation and improvement of the crisis plans and procedures?

Checklist

Check if comprehensive crisis plans and procedures are in place to guide actions and decisions during a crisis.
Verify if the crisis plans are based on a thorough assessment of potential risks and scenarios.
Assess whether the plans are regularly reviewed, updated, and tested for effectiveness.
Review guidelines on the roles and responsibilities of senior management during a crisis.
Determine if there is a process for post-crisis evaluation and improvement of the crisis plans and procedures.

4. Tools and Processes for Situation Assessment

Are there tools and processes in place to facilitate timely updating and assessment of the latest situation during a crisis?
Is there a dedicated team responsible for gathering, analysing, and disseminating information to support decision-making?
Are the tools and processes regularly tested and updated to ensure their effectiveness?
Is there a mechanism to integrate information from various sources and stakeholders for a comprehensive situational assessment?

Checklist

Determine if tools and processes are in place to facilitate timely updating and assessment of the latest situation during a crisis.
Assess if a dedicated team is responsible for gathering, analysing, and disseminating information to support decision-making.
Verify if the tools and processes are regularly tested and updated.
Determine if there is a mechanism to integrate information from various sources and stakeholders for a comprehensive situational assessment.

5. Stakeholder Communication

Is there a list of internal and external stakeholders to be informed when a critical business service is disrupted?
Are communication plans and requirements documented for each stakeholder group?
Do the communication plans include criteria for determining the severity and timing of notifications?
Are there predefined communication channels for efficient stakeholder communication, such as email distribution lists or notification systems?
Are alternative communication channels identified and documented in case the primary channels are unavailable?

Checklist

Verify if there is a list of internal and external stakeholders to be informed when a critical business service is disrupted.
Review communication plans and requirements documented for each stakeholder group.
Assess if the communication plans include criteria for determining the severity and timing of notifications.
Verify if there are predefined communication channels, such as email distribution lists or notification systems, for efficient communication with stakeholders.
Determine if alternative communication channels have been identified and documented in case the primary channels are unavailable.

6. Mainstream and Social Media Communication

Are communication channels effectively established to reach stakeholders through mainstream and social media platforms?
Are designated personnel responsible for managing communications on these channels during a crisis?
Are there guidelines or protocols to ensure consistent and accurate messaging through mainstream and social media?

Checklist

Assess if there are established communication channels to effectively reach stakeholders through mainstream and social media platforms.
Verify if designated personnel manage communications on these channels during a crisis.
Review guidelines or protocols to ensure consistent and accurate mainstream and social media messaging.
Assess if there are mechanisms to monitor and respond to public sentiment and feedback during a crisis.

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases. If this occurs, the questionnaires and checklists must be contextualised to the topic under review.


Questionnaires and Checklist "Plan" Phase	Assess Capability and Maturity	Analyse Gap	Develop Strategy Roadmap	Confirm Risk Appetite	Develop and Embed Governance

Find out more about Blended Learning ORA-5000 [BL-ORA-5] & ORA-300 [BL-ORA-3]

Please feel free to send us a note if you have any of these questions.

Moh Heng Goh

audit, Operational Resilience

ORA [Plan] Questionnaires: Analyse Gap Concentration Risk

Jun 15, 2023 5:52:57 PM

Analyse the Gap: Concentration Risk

OR_Plan_Update Diagram

What is Concentration Risk?

Concentration Risk refers to the vulnerability and potential impact that arises from a significant dependence or concentration of critical operations, resources, or dependencies within an organization.

It occurs when there is an overreliance on a single point of failure or a limited number of entities, systems, or processes that, if disrupted, could significantly impact the organization's ability to deliver its critical services or functions.

This section is the "Plan" phase of the Operational Resilience Planning Methodology. It is the second stage of the Plan phase: Analyse Gap.

These questions, checklists, and details should help assess the concentration risk and operational resilience measures related to primary-secondary site operation, critical business functions segregation, split team and backup team arrangements cross-training cross-border support, and alternative service provider considerations and requirements of the MAS BCM Policy.

Audit Checklist for Analysing the Gap: Concentration Risk

1. Primary-Secondary Site Operation

Are primary and secondary sites geographically distant enough to mitigate the impact of a localised event?
Is there a documented plan for transitioning operations from primary to secondary sites?
Has the secondary site been tested for readiness and functionality?
Are the necessary infrastructure and resources available at the secondary site?
Are there redundant systems in place to ensure seamless operations during the transition?

Checklist

Verify if the primary and secondary sites are geographically distant enough to mitigate localised events.
Review the documented plan for transitioning operations from primary to secondary sites.
Assess if the secondary site has been tested for readiness and functionality.
Verify the availability of necessary infrastructure and resources at the secondary site.
Assess the presence of redundant systems to ensure seamless operations during the transition.

2. Critical Business Functions Segregation

Are critical business functions identified and documented?
Is there segregation of critical business functions across different locations?
Have dependencies between critical business functions been assessed and addressed?
Is there a contingency plan to maintain critical business functions during disruption at one location?
Are there regular tests or drills to validate the effectiveness of critical business function segregation?

Checklists

Determine if critical business functions have been identified and documented.
Assess the segregation of critical business functions across different locations.
Review the assessment and addressing of dependencies between critical business functions.
Verify the existence of a contingency plan to maintain critical business functions in case of disruption at one location.
Assess the regular testing or drills to validate the effectiveness of critical business function segregation.

3. Split Team and Backup Team Arrangements

Are split team arrangements established to ensure business continuity in the event of staff unavailability?
Is there a clear communication plan for coordinating split team operations?
Are backup teams identified and trained to take over in case of primary team unavailability?
Has the effectiveness of split and backup team arrangements been tested in simulated scenarios?
Are there documented procedures for transitioning between primary and backup teams?

Checklists

Verify the establishment of split team arrangements to ensure business continuity during staff unavailability.
Assess the presence of a clear communication plan for coordinating split team operations.
Review the identification and training of backup teams to take over in case of primary team unavailability.
Verify the testing of the split team and backup team arrangements in simulated scenarios.
Assess the availability of documented procedures for transitioning between primary and backup teams.

4. Cross-Training

Are employees cross-trained to perform multiple roles within critical business functions?
Is a training program in place to ensure employees have the necessary skills for cross-functional roles?
Are cross-training records maintained for tracking employee capabilities?
Is cross-training periodically tested or validated through drills or exercises?
Are there escalation procedures in place to address skill gaps during disruptions?

Checklists

Determine if employees are cross-trained to perform multiple roles within critical business functions.
Assess the presence of a training program to ensure employees have the necessary skills for cross-functional roles.
Review the maintenance of cross-training records for tracking employee capabilities.
Verify the periodic testing or validation of cross-training through drills or exercises.
Assess the presence of escalation procedures to address skill gaps during disruptions.

5. Cross-Border Support

Are there dependencies on systems, processes, or resources located in other countries?
Are the risks associated with cross-border dependencies identified and assessed?
Is there a contingency plan in place to address disruptions in cross-border support?
Have legal, regulatory, or compliance considerations related to cross-border operations been addressed?
Are there alternative arrangements or redundancies for critical cross-border dependencies?

Checklists

Determine if there are dependencies on systems, processes, or resources in other countries.
Assess the identification and assessment of risks associated with cross-border dependencies.
Verify the presence of a contingency plan to address disruptions in cross-border support.
Review addressing legal, regulatory, or compliance considerations related to cross-border operations.
Assess the presence of alternative arrangements or redundancies for critical cross-border dependencies.

6. Alternative Service Provider

Are alternative service providers identified for critical business functions?
Have due diligence assessments been conducted for alternative service providers?
Is there a documented plan for transitioning to alternative service providers during disruptions?
Are contractual agreements with alternative service providers in place and up to date?
Has the feasibility and effectiveness of alternative service providers been tested or validated?

Checklists


Questionnaires and Checklist "Plan" Phase	Assess Capability and Maturity	Analyse Gap	Develop Strategy Roadmap	Confirm Risk Appetite	Develop and Embed Governance

Find out more about Blended Learning ORA-5000 [BL-ORA-5] & ORA-300 [BL-ORA-3]

Please feel free to send us a note if you have any of these questions.

Moh Heng Goh

audit, Operational Resilience

Table of Content for Operational Resilience Audit and Review [Cross Reference to MAS BCM Guidelines]

Jun 15, 2023 2:14:00 PM

Operational Resilience Audit Questionnaires and Checklist

Operational Resilience Planning Methodology

Operational Resilience Planning Methodology. The three phases are "Plan", "Implement", and "Sustain." Each phase has five stages.

Click each of the five stages within each phase to find out more about the detailed questions to be asked and the checklist supports it. Note that there is overlap for some of the stages in terms of content.

The rationale is that you, as a reviewer or auditor, will not be conducting the audit of review for all three phases together, and hence, the key controls are still needed to be embedded in several stages.

Click the icon on the right to access MAS BCM Guidelines.


Questionnaires and Checklist "Plan" Phase	Assess Capability and Maturity	Analyse Gap	Develop Strategy Roadmap	Confirm Risk Appetite	Develop and Embed Governance

		5. Concentration Risk			7. Responsibilities of Board and Senior Management


Questionnaires and Checklist "Implement" Phase	Identify Critical Business Services	Map Processes and Resources	Set Impact Tolerance	Conduct Scenario Testing	Improve Lesson Learnt

	2 Critical Business Services and Functions	4. Dependency Mapping	3. Service Recovery Time Objectives	7. Testing	6. Continous Review and Improvement


Questionnaires and Checklist "Sustain" Phase	Introduce Cultural Change	Develop Communication Strategy	Implement Training and Awareness	Provide Self-assessment	Conduct Independent Quality Review

	7. Responsibilities of Board and Senior Management	9. Incident and Crisis Management (Communication with staff and Stakeholders)			8. Audit